Read of my efforts to be an exemplary class rep. in the Elvey v. TD Ameritrade pump-n-dump spam and Identity Theft litigation. (I discovered the information security breach by which the Social Security Numbers of all 6.3 million AMTD customers were compromised and proved that known criminals had gained access to the database they were in.)

July 11, 2008

What’s this website all about? (sticky post)

(UPDATED December, 2011) Finally, a little of TD Ameritrade’s money is going to a few of the class members it ripped off. It’s taken 6 years to get here! Though TD Ameritrade refuses to pass a security audit and covered up the breach, the government (in the form of the SEC and the federal judiciary), and the Financial Industry’s self-Regulatory-organization Authority (FINRA, nee NASD) have let it off with a ‘slap on the wrist’ that will have no material impact on the company. I guesstimate the ‘slap on the wrist’ was over $40 million: $6.5 million for the settlement, plus the cost of my attorneys, their attorneys, printing, stuffing and mailing over 12 million letters, litigation costs (flying dozens of attorneys to San Francisco), increased insurance costs, loss of business, etc. Criminals had gained ongoing access to TD Ameritrade’s customer database back in October, 2005. This database contains 6.3 million+ customers’ names, addresses, mailing addresses, email addresses, trading histories, account numbers, account balances, dates of birth – oh, and social security numbers too. AMTD knew of, covered up, and failed to fix the problem for TWO YEARS. How do I know this?

Notes for new readers:

If you’re new here or found this useful, or just want to offer your support, please add a comment. I will keep the comment private, if you prefer.

This article is sticky, which means it always appears at the top. Other articles appear below this one, newest first.

Like on many blogs, only part of each article on the site appears on the main page. (The whole article becomes viewable if you click the title.) The bulk of the article becomes viewable if you click the “(more…)” tag after reading to the end of the teaser text. Like this:

…and here’s the rest of the article:
The email addresses of a whole bunch of their customers were of a special kind, commonly called disposable email addresses, or DEAs, including mine. These customers had each given a particular email address, only to Ameritrade. And they started receiving pump-n-dump spam to these addresses. Many of them contacted Ameritrade, and explained that this spam (which was sent through a botnet and had falsified headers) was strong evidence that Ameritrade had a security breach. A couple dozen wrote about doing so in various public media, from Usenet, to blogs, to forums, to mailing lists, to news articles. Ameritrade neither publicly acknowledged the existence of nor closed the security hole. Even as many victims explained to Ameritrade, one after another, that their systems were secure (or at least secure enough to make it impossible for someone to obtain the abused DEAs through a breach of their systems without having left evidence of a DHA), Ameritrade insisted that they had no evidence of a breach. Ameritrade continued to claim to see no evidence of a breach, despite the conclusive evidence, complaints to the SEC, and complaints from what I estimate was hundreds of customers – as it was likely larger than the number that had complained publicly. (It’s hard to see with your head stuck in the sand, so this claim is understandable.)
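The inference described above, as an added example that is not part of the original post: an address given to exactly one party is treated as leaked by that party unless the recipient's own mail log shows a directory harvest attack (DHA, a run of rejected guesses at nonexistent addresses) shortly before the first abusive delivery. The log shape, addresses, IPs, threshold and lookback window are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One RCPT TO seen by the customer's own mail server (constructed log shape).
Rcpt = namedtuple("Rcpt", "time src_ip rcpt accepted")

def attribute_leaks(events, issued, dha_threshold=20, lookback=timedelta(days=30)):
    """issued maps each single-recipient address to the set of relay IPs of
    the one party it was given to. Returns {address: verdict} for abused ones."""
    events = sorted(events, key=lambda e: e.time)
    verdicts = {}
    for addr, vendor_ips in issued.items():
        # Abuse: delivered mail from a host that is not the vendor's relay.
        # Headers can be forged, so only the connecting IP is compared.
        hits = [e for e in events
                if e.accepted and e.rcpt == addr and e.src_ip not in vendor_ips]
        if not hits:
            continue
        first = hits[0].time
        # A directory harvest attack shows up as many rejected RCPTs for
        # guessed, nonexistent addresses shortly before the first hit.
        rejected = sum(1 for e in events
                       if not e.accepted and first - lookback <= e.time < first)
        verdicts[addr] = ("inconclusive: possible DHA"
                          if rejected >= dha_threshold else "vendor-side leak")
    return verdicts

def sample():
    """Constructed data: three addresses, each given to exactly one party."""
    t0 = datetime(2006, 1, 1)
    day = timedelta(days=1)
    issued = {"broker-7f3k@me.example": {"192.0.2.10"},
              "shop-x91q@me.example": {"192.0.2.20"},
              "news-c04z@me.example": {"192.0.2.30"}}
    events = [Rcpt(t0, "192.0.2.10", "broker-7f3k@me.example", True),
              Rcpt(t0 + 40 * day, "198.51.100.7", "broker-7f3k@me.example", True),
              Rcpt(t0 + 50 * day, "192.0.2.30", "news-c04z@me.example", True),
              Rcpt(t0 + 200 * day, "198.51.100.9", "shop-x91q@me.example", True)]
    # Harvesting run: 25 rejected guesses in the days before the shop hit.
    events += [Rcpt(t0 + 195 * day + timedelta(minutes=i), "203.0.113.5",
                    f"guess{i}@me.example", False) for i in range(25)]
    return events, issued

if __name__ == "__main__":
    for addr, verdict in attribute_leaks(*sample()).items():
        print(addr, "->", verdict)
```

The broker address is abused with no harvesting activity in the preceding window, so the only remaining source is the party it was given to; the shop address is left inconclusive because guessing cannot be ruled out.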

Many customers complained that when they gave Ameritrade new email addresses, these got spammed as well, which showed that the breach was ongoing. I finally got fed up, told them I’d sue them if they didn’t fix the breach, found an attorney and sued them. The day before a judge was to rule on an injunction ordering them to disclose the breach to their customers, they put out a masterpiece of PR – a letter, a video from the then-CEO, and a FAQ on their corporate website – not admitting to any wrongdoing, and giving the impression that there had been a minor incident – nothing unusual, and that there was no cause for concern – customer assets were secure. And yet, some TWO YEARS after having acknowledged receipt of detailed complaints (that provided IMNSHO irrefutable evidence of a hole), they acknowledged having just found and closed it.

Ameritrade claimed to be “investigating with the FBI”, however the FBI agent who would have performed such an investigation confirmed last month that there had still been no such investigation.

From AMTD’s press release: “TD AMERITRADE Holding Corporation (NASDAQ:AMTD) has discovered … unauthorized code … that allowed access to an internal database. … While more sensitive information like account numbers, date of birth and Social Security Numbers (SSNs) is stored in this database, there is no evidence that it was taken.” There is no evidence it was not taken either. [New: We have learned that AMTD has found conclusive evidence that more sensitive information was taken, but has refused to disclose or share that evidence with us.] We know the data was in a completely ‘compromised’ database, so it in fact WAS ‘compromised’. AMTD is simply claiming that it’s possible that the criminals that broke in stole the email addresses but left the SSNs. AMTD itself has not provided and has not publicly claimed to have evidence that names, addresses or phone numbers were retrieved from this database either. In other words, the only public evidence of the latter is the spam itself (provided by AMTD customers). Essentially, AMTD is claiming that it’s plausible that crooks breaking into the equivalent of Fort Knox would leave the gold (the Social Security Numbers) and just take the silver (the email addresses).

They are very strongly implying (but not claiming) that there was no identity theft, as they have no known basis for making such a claim. And yet they are demanding that as part of the settlement, the class give up all rights to sue as a class for compensation, should stronger evidence of ID theft turn up. They can’t have their cake and eat it too. They should either compensate the class for losses due to identity theft, or not ask the class to give up any rights related to identity theft.

My attorneys attempted to negotiate with Ameritrade, and I attempted to do so, through them. But it was not to be; there appeared to be productive negotiation, with concessions on both sides, and it seemed that there were some details to work out, but the outline of an agreement had taken shape. Much later, I finally obtained an early formal written version of the settlement, and it bore little resemblance to what had been worked out so far, and then I was repeatedly threatened. The threats forced me to, in order to protect the interests of the class, temporarily appear in some way to be going along with a proposed settlement that I felt, for the reasons I’ve started to outline in other posts, was a betrayal of the class, and not a reasonable compromise at all. In court on June 12, 2008, I disclosed that I did not agree with the settlement, and that I had been threatened.

Judge Vaughn Walker is famous for being an expressive advocate of active, involved class reps. We’ll see what he decides. My strong opposition to the settlement agreement my attorneys negotiated means there’s a conflict of interest, and I need to find new counsel.